CVE-2023-2976: Files or Directories Accessible to External Parties

June 14, 2023 (updated February 13, 2024)

Use of Java’s default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

References

github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284
github.com/google/guava/issues/2575
nvd.nist.gov/vuln/detail/CVE-2023-2976

Detect and mitigate CVE-2023-2976 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →